
ECDSA versus RSA – A Comparison of the Elliptic Curve Digital Signature Algorithm to RSA

14/07/2019

Since the origin of SSL, web servers have generated their public/private key pairs using RSA. Strong RSA keys, however, are slow and expensive in CPU terms: the cost of each private-key operation grows quickly with key size, so RSA does not scale well and slows web performance.

RSA 2048 provides around 112 bits of security (NIST SP 800-57 equivalence). To reach 128 bits we need RSA 3072, which is slower still and hurts handshake performance further.

An alternative to RSA is ECC, Elliptic Curve Cryptography. In ECC-enabled TLS it appears as ECDHE for key exchange and ECDSA for certificate signatures. It uses significantly fewer CPU cycles per operation at the same security level and scales much better.

A 256-bit ECC key provides about 128 bits of security, more than RSA 2048, with a key one eighth the size. The expensive public-key operations in the handshake (the signature and the key exchange; bulk data is encrypted with a symmetric cipher either way) therefore cost fewer CPU cycles, which improves website performance.

That 16-bit gap (128 versus 112 bits) makes a brute-force attack on ECC 256 roughly 2^16, about 65,000 times, harder than on RSA 2048. Bit for bit, ECC is therefore both the stronger and the cheaper option for new deployments.

We can deploy hybrid chains: an ECC (ECDSA) leaf certificate whose signature is produced by an RSA intermediate that chains up to an RSA root. Clients that already trust the RSA root validate the chain without needing any ECC root in their trust store, while the TLS handshake itself uses the fast ECDSA leaf key.
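The following is an added example, not code from the original post or from the referenced book. It scripts the hybrid chain described above with the OpenSSL command line (assumed to be on PATH as `openssl`, version 1.1.1 or later): an RSA-2048 root, an RSA-2048 intermediate, and a P-256 leaf whose certificate is RSA-signed. The minimal OpenSSL config, the names (`www.example.test`, "Example RSA Root") and the helper functions are constructed for the example.

```python
import os
import subprocess
import tempfile

# Minimal OpenSSL config: an empty DN section (subjects come from -subj) plus the
# extension profiles a CA and a server leaf need. Constructed for this example.
OPENSSL_CNF = """
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
"""

RSA2048 = ["genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048"]
P256 = ["genpkey", "-algorithm", "EC", "-pkeyopt", "ec_paramgen_curve:P-256",
        "-pkeyopt", "ec_param_enc:named_curve"]


def _ssl(*args, cwd):
    """Run one openssl command inside cwd; raise on failure, return its stdout."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def build_hybrid_chain(workdir):
    """Write root/inter/leaf key and certificate files into workdir."""
    cnf = os.path.join(workdir, "openssl.cnf")
    with open(cnf, "w") as fh:
        fh.write(OPENSSL_CNF)
    # 1. RSA root, self-signed, marked as a CA.
    _ssl(*RSA2048, "-out", "root.key", cwd=workdir)
    _ssl("req", "-x509", "-new", "-key", "root.key", "-subj", "/CN=Example RSA Root",
         "-days", "3650", "-sha256", "-config", cnf, "-extensions", "ca_ext",
         "-out", "root.pem", cwd=workdir)
    # 2. RSA intermediate issued (RSA-signed) by the root.
    _ssl(*RSA2048, "-out", "inter.key", cwd=workdir)
    _ssl("req", "-new", "-key", "inter.key", "-subj", "/CN=Example RSA Intermediate",
         "-config", cnf, "-out", "inter.csr", cwd=workdir)
    _ssl("x509", "-req", "-in", "inter.csr", "-CA", "root.pem", "-CAkey", "root.key",
         "-CAcreateserial", "-days", "1825", "-sha256", "-extfile", cnf,
         "-extensions", "ca_ext", "-out", "inter.pem", cwd=workdir)
    # 3. P-256 leaf key; its certificate carries an RSA signature from the intermediate.
    _ssl(*P256, "-out", "leaf.key", cwd=workdir)
    _ssl("req", "-new", "-key", "leaf.key", "-subj", "/CN=www.example.test",
         "-config", cnf, "-out", "leaf.csr", cwd=workdir)
    _ssl("x509", "-req", "-in", "leaf.csr", "-CA", "inter.pem", "-CAkey", "inter.key",
         "-CAcreateserial", "-days", "397", "-sha256", "-extfile", cnf,
         "-extensions", "leaf_ext", "-out", "leaf.pem", cwd=workdir)


def chain_verifies(workdir):
    """True if leaf -> intermediate -> root validates with only the RSA root trusted."""
    result = subprocess.run(["openssl", "verify", "-CAfile", "root.pem",
                             "-untrusted", "inter.pem", "leaf.pem"],
                            cwd=workdir, capture_output=True, text=True)
    return result.returncode == 0


def leaf_algorithms(workdir):
    """(public key algorithm, signature algorithm) of the leaf, as openssl prints them."""
    key_alg = sig_alg = None
    for line in _ssl("x509", "-in", "leaf.pem", "-noout", "-text", cwd=workdir).splitlines():
        line = line.strip()
        if line.startswith("Public Key Algorithm:"):
            key_alg = line.split(":", 1)[1].strip()
        elif line.startswith("Signature Algorithm:") and sig_alg is None:
            sig_alg = line.split(":", 1)[1].strip()
    return key_alg, sig_alg


def hybrid_demo():
    """Build the chain in a scratch directory and report what a client would see."""
    workdir = tempfile.mkdtemp(prefix="hybrid-chain-")
    build_hybrid_chain(workdir)
    return chain_verifies(workdir), leaf_algorithms(workdir)


if __name__ == "__main__":
    ok, (key_alg, sig_alg) = hybrid_demo()
    print(f"chain valid: {ok}; leaf key: {key_alg}; leaf signed with: {sig_alg}")
```

The two checks at the end are the ones worth keeping in a deployment pipeline: the chain must validate against the RSA root alone, and the leaf must show `id-ecPublicKey` as its key type with an RSA signature algorithm, which is exactly the combination a legacy client with only RSA roots can still accept.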


Known Issues

Legacy browsers and clients are widely deployed that support only RSA certificates, so RSA cannot simply be switched off.

The latest and fastest cipher suites (the AEAD suites AES-GCM and ChaCha20-Poly1305) require TLS 1.2 or later; TLS 1.0 and 1.1 cannot negotiate them.

ECDSA is unforgiving of a bad random number generator. Every signature needs a fresh, unpredictable nonce k; if two signatures reuse the same k, anyone holding both can recover the private key. Some Android devices shipped a flawed SecureRandom that produced repeated values, which broke ECDSA signatures made on them. Deriving the nonce deterministically from the key and message (RFC 6979) removes the dependence on the RNG at signing time.


Conclusion

RSA becomes too expensive once you need more than the roughly 112 bits of security that RSA 2048 provides.

Implement TLS 1.2 (or later) so that the modern cipher suites are available.

Move to elliptic curve algorithms (ECDSA certificates and ECDHE key exchange), using a hybrid RSA-rooted chain where legacy clients still require it.


Reference

Gilchrist, A. (2017). The Concise Guide to SSL/TLS for DevOps. 2nd edn. RG Consulting.

https://www.amazon.co.uk/Concise-Guide-SSL-TLS-DevOps/dp/1521278628/
